为了通过C#UserPrincipal在Active Directory中设置UserCannotChangePassword,我必须具有哪些权限才能委派
[英]What permissions do I have to delegate in order to set UserCannotChangePassword in Active Directory through a C# UserPrincipal
问题描述
This seemed to have been asked a few years ago at Constraint violation when trying to set "User Cannot Change Password" in active directory from c# but no response actually answered the question sufficiently. 
几年前, 在尝试从c#中设置“用户无法更改密码”的活动目录时,似乎已经问过这种情况,但没有响应实际上已经充分回答了问题。
I tried reviving the thread because I wanted to hear specifically from the originator as to wether he had solved the issue, but my response was deleted as it is, admittedly, an old question. 我尝试恢复线程,因为我想特别听取发端人的意见,因为他已经解决了这个问题,但我的回答被删除了,因为它确实是一个老问题。 I hope Resorath sees this as he may have more insight into the problem! 我希望Resorath能够看到这一点,因为他可能会更深入地了解这个问题!
Basically, the problem boils down to lack of permissions. 基本上,问题归结为缺乏权限。
More specifically, I have created a service account and delegated full modify permissions (checked all the boxes in the "Descendant User objects" list of the "Advanced" security settings DACL list of AD Users and Computers... including the ones that appeared after manually editing some file). 更具体地说,我创建了一个服务帐户并委派了完整的修改权限(选中了AD用户和计算机的“高级”安全设置DACL列表的“后代用户对象”列表中的所有框...包括之后出现的那些手动编辑一些文件)。 Yes, this includes the ntSecurityDescriptor. 是的,这包括ntSecurityDescriptor。 Also, this includes the "Modify permissions" of the "Descendant account objects" as well. 此外,这还包括“后代帐户对象”的“修改权限”。
When I create a PrincipalContext using this user, and create or load a UserPrincipal using that context, I am able to modify literally everything relating to that user except the UserCannotChangePassword property. 当我创建使用该用户PrincipalContext,并使用此背景下创建或加载UserPrincipal,我能够修改字面上与除 UserCannotChangePassword属性,用户的一切。 Upon attempting to save the user, I get an A constraint violation has occured error. 在尝试保存用户时,我收到A constraint violation has occured错误。
Please note: When adding the service account to the DomainAdmins group, I am able to make this change . 请注意:将服务帐户添加到DomainAdmins组时, 我可以进行此更改 。 Also, if I set the account as the owner of the user object I am also able to make this change . 此外,如果我将帐户设置为用户对象的所有者, 我也可以进行此更改 。 To me, this clearly signals that there is a permission I am missing. 对我而言,这清楚地表明我缺少了许可。
I have searched for hours to find information that might help me on this, and have at this point exhausted my google-fu abilities. 我已经搜索了几个小时来找到可能对我有帮助的信息,并且此时已经耗尽了我的google-fu能力。
Here is a link to the issue I opened in the corefx github page... https://github.com/dotnet/corefx/issues/34193 This includes a sample application demonstrating the problem. 这是我在corefx github页面中打开的问题的链接... https://github.com/dotnet/corefx/issues/34193这包括一个演示问题的示例应用程序。
Thanks! 谢谢!
1 个解决方案
解决方案1
1 已采纳 2019-06-25 14:21:26
It was brought to my attention I never posted the solution I was given here. 这引起了我的注意,我从未发布过我在这里给出的解决方案。 It is a bug in the corefx library and there is a fix we haven't gotten around to implementing and making a PR for in the issue I mentioned, https://github.com/dotnet/corefx/issues/34193 . 这是corefx库中的一个错误,在我提到的问题中,我们还没有解决实现和制作PR的问题, https://github.com/dotnet/corefx/issues/34193 。 If anyone else needs this then feel free to fix it yourselves as well... Hopefully by the time anyone else sees this it will have been fixed :-) 如果其他人需要这个,那么随时也可以自己解决它...希望当其他人看到它时它将被修复:-)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.